In a breach that some are saying is the most embarrassing and costly breach in crypto history, Coinbase has confirmed a major security incident that has exposed the sensitive data of hundreds of thousands of users.

The company’s own contract employees were bribed by the hackers who then demanded a $20 million ransom to delete the information they had stolen. Coinbase’s response? Refuse to pay and put a bounty on the hackers’ heads.

A Backdoor Through Customer Support

Coinbase was breached in a cybersecurity attack that spanned several months, starting in January 2025. A group of hackers targeted contract workers in the company’s customer support division, paying them for access to the information that was later taken in the hack. Using this phishing-like approach to get inside, the hackers then worked for five months to move laterally through the system and exfiltrate a staggering amount of data. It’s unclear how much they got away with, or how many people’s data was compromised, but the amount certainly seemed to be in the millions.

The breached data is some of the most sensitive that any cryptocurrency exchange could hold. It contains everything from full names, contact details, and government-issued ID images to what users had in their crypto wallets and transaction histories, as well as IP addresses that can be used to tie them to specific locations. This is the very kind of breach that shouldn’t be possible. This is bad for customers, yes. But at a certain point, it also becomes bad for society. When you’re not revealing the full story via the ID images and government-issued papers that were also part of the compromised data, you’re not really secure.

What’s particularly alarming is that this was not caused by a software vulnerability or an infrastructure flaw. It was social engineering at its most effective—exploiting the financial vulnerabilities of underpaid contractors to get inside one of the most valuable crypto exchanges in the world.

The Ransom Demand and Armstrong’s Defiant Stand

The hackers struck after several months of gathering information. They emailed Coinbase to say they’d release the data if the company didn’t pay them $20 million. They claimed they had pretty much everything they could want from the inside of Coinbase, and they told the company in detail what kind of information they’d gotten.

Confronted with this decision, Coinbase CEO Brian Armstrong could have chosen one of two paths. He could have gone with the oft-trod route of most companies, which is to pay off the extortionists and protect customers, thus avoiding what could become a seriously public scandal. Or he could have taken the much less traveled path of standing up to the bad guys. Armstrong took the latter route and stunned the digital currency world with his decision.

He declined to pay. Instead, Coinbase put up a $20 million reward — the same sum the hackers demanded — for information that would lead to the capture and conviction of the cybercriminals. Then the company went public with the breach, describing not only how it had come about but also how many customers had been affected and what it was doing to limit the damage.

About 1% of the monthly active users of Coinbase were affected; that amounts to hundreds of thousands of people. The total cost of the incident is estimated to fall somewhere between $180 million and $400 million. The estimate breaks down into user reimbursements, spending on stronger security measures, legal expenses, and long-term damage to Coinbase’s brand reputation. But for Armstrong, the key takeaway wasn’t the cash cost, but rather the payoff in messaging: paying a ransom doesn’t ensure safety; it only encourages more attacks.

Security, Outsourcing, and the Lessons Ahead

The breach has glaringly illuminated a problem: the vulnerabilities that arise from outsourcing customer support to low-wage workers in foreign countries. Outsourcing such roles may be cost-effective, positively so from a business standpoint. But when it comes to security, this convenient business decision creates a risk that is exceedingly hard to keep an eye on and nearly impossible to eliminate. Underpaying employees, especially those with access to sensitive data, fills them with a sense of moral indignation that begs for a nice boost of cash to make it go away. And tempting someone with a bribe is a far sight easier when they are working in a cubicle half a world away and making a fraction of what their boss does.

Now Coinbase is reimbursing the users who were directly scammed as a result of the breach, but only for incidents that happened prior to May 15. If you got scammed after that (and we’re not saying you will), do not expect to be made whole again. Going forward, Coinbase customer service is (allegedly) much improved, and the platform has put into place several new internal controls, alongside a reevaluation of its contractor management policies.

The damage is done, however. The crypto community is just trying to cope with the recent disclosure that one of the most reliable platforms in the industry could suffer not from tech problems but from, shall we say, personnel issues. Armstrong’s decision to go public with the news and offer a bounty may well be a new way for companies to handle conversations around ransomware threats (“we are not paying ransoms to protect our secrets, and here is why”), but it also serves as a reminder that entire systems, for all their redundancy and cleverness, can be subject to human error.

Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.

The post Coinbase Suffers $400M Breach After Employees Sold Customer Data to Hackers appeared first on The Merkle News.